package com.ibm.ws.security.credentials.wscred.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.credentials.CredentialProvider;
import com.ibm.ws.security.credentials.CredentialsService;
import com.ibm.ws.security.registry.EntryNotFoundException;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.ws.security.registry.UserRegistryService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.util.ArrayList;
import java.util.Date;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.CredentialExpiredException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

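/**
 * {@link CredentialProvider} that attaches a {@link WSCredential} to a {@link Subject}
 * and later decides whether that subject is still usable.
 *
 * <p>The credential is derived from the single {@link WSPrincipal} in the subject. Group
 * membership comes either from attributes already carried by the subject or from the
 * configured {@link UserRegistry}; see {@link #setCredential(Subject)} for the order.
 *
 * <p>This listing is decompiler output. Two spots were repaired by hand and are marked
 * in the method comments: the exception messages in {@code createUserWSCredential} and
 * the body of {@link #isSubjectValid(Subject)}.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:resources/server_runtime/lib/com.ibm.ws.security.credentials.wscred_1.0.2.jar:com/ibm/ws/security/credentials/wscred/internal/WSCredentialProvider.class */
public class WSCredentialProvider implements CredentialProvider {
    private static final TraceComponent tc = Tr.register(WSCredentialProvider.class);

    // The identifier keeps its original (misspelled) name because other classes in the
    // package may reference it.
    static final String KEY_USER_REGISTYR_SERVICE = "userRegistryService";
    public static final String KEY_CREDENTIALS_SERVICE = "credentialsService";

    private final AtomicServiceReference<UserRegistryService> userRegistryServiceRef = new AtomicServiceReference<>(KEY_USER_REGISTYR_SERVICE);
    private final AtomicServiceReference<CredentialsService> credentialsServiceRef = new AtomicServiceReference<>(KEY_CREDENTIALS_SERVICE);

    // Kept exactly as found in the class file.
    static final long serialVersionUID = -6589693652933211505L;

    /** Binds the user registry service reference. */
    protected void setUserRegistryService(ServiceReference<UserRegistryService> serviceReference) {
        this.userRegistryServiceRef.setReference(serviceReference);
    }

    /** Unbinds the user registry service reference. */
    protected void unsetUserRegistryService(ServiceReference<UserRegistryService> serviceReference) {
        this.userRegistryServiceRef.unsetReference(serviceReference);
    }

    /** Binds the credentials service reference. */
    public void setCredentialsService(ServiceReference<CredentialsService> serviceReference) {
        this.credentialsServiceRef.setReference(serviceReference);
    }

    /** Unbinds the credentials service reference. */
    public void unsetCredentialsService(ServiceReference<CredentialsService> serviceReference) {
        this.credentialsServiceRef.unsetReference(serviceReference);
    }

    /** Activates both service references with the component context. */
    protected void activate(ComponentContext componentContext) {
        this.userRegistryServiceRef.activate(componentContext);
        this.credentialsServiceRef.activate(componentContext);
    }

    /** Deactivates both service references with the component context. */
    protected void deactivate(ComponentContext componentContext) {
        this.userRegistryServiceRef.deactivate(componentContext);
        this.credentialsServiceRef.deactivate(componentContext);
    }

    /**
     * Adds a {@link WSCredential} to the subject's public credentials, based on the
     * subject's single {@link WSPrincipal}.
     *
     * <p>A subject without a {@code WSPrincipal} is left untouched. A subject with more
     * than one is rejected, so the identity behind the credential is never ambiguous.
     *
     * @param subject the subject to decorate
     * @throws CredentialException if the subject holds more than one {@code WSPrincipal},
     *         or the user cannot be resolved in the registry
     */
    @Override // com.ibm.ws.security.credentials.CredentialProvider
    public void setCredential(Subject subject) throws CredentialException {
        Set<WSPrincipal> principals = subject.getPrincipals(WSPrincipal.class);
        if (principals.isEmpty()) {
            return;
        }
        if (principals.size() != 1) {
            throw new CredentialException("Too many WSPrincipals in the subject");
        }
        setCredential(subject, principals.iterator().next());
    }

    /**
     * Reads the unique-id and security-name attributes from the subject through
     * {@link SubjectHelper#getHashtableFromSubject}.
     */
    private Hashtable<String, ?> getUniqueIdAndSecurityNameHashtableFromSubject(Subject subject) {
        String[] requiredKeys = {AttributeNameConstants.WSCREDENTIAL_UNIQUEID, AttributeNameConstants.WSCREDENTIAL_SECURITYNAME};
        return new SubjectHelper().getHashtableFromSubject(subject, requiredKeys);
    }

    /**
     * Chooses which kind of credential to build for the principal.
     *
     * <ul>
     * <li>server access id: credential with no groups and no unauthenticated user id;</li>
     * <li>principal name equal to the configured unauthenticated user id: credential
     *     with a {@code null} access id;</li>
     * <li>user access id: credential with groups, see {@code createUserWSCredential};</li>
     * <li>anything else: no credential is added and no error is raised.</li>
     * </ul>
     */
    private void setCredential(Subject subject, WSPrincipal wSPrincipal) throws CredentialException {
        String name = wSPrincipal.getName();
        String accessId = wSPrincipal.getAccessId();
        String realm = AccessIdUtil.getRealm(accessId);
        String uniqueId = AccessIdUtil.getUniqueId(accessId);
        if (AccessIdUtil.isServerAccessId(accessId)) {
            setCredential(null, subject, realm, name, uniqueId, null, accessId, null, null);
            return;
        }
        // NOTE(review): if getService() can return null while the reference is unbound,
        // the next line throws NullPointerException - confirm against AtomicServiceReference.
        String unauthenticatedUserid = this.credentialsServiceRef.getService().getUnauthenticatedUserid();
        // equals(null) is false, so a null unauthenticatedUserid never matches.
        if (name != null && name.equals(unauthenticatedUserid)) {
            setCredential(unauthenticatedUserid, subject, realm, name, uniqueId, null, null, null, null);
        } else if (AccessIdUtil.isUserAccessId(accessId)) {
            createUserWSCredential(subject, name, accessId, realm, uniqueId, unauthenticatedUserid);
        }
    }

    /**
     * Builds the credential for a user access id.
     *
     * <p>If the subject already carries unique-id/security-name attributes, the group list
     * is taken from those attributes and the registry is not consulted. Whatever populated
     * the subject is therefore trusted for group membership. Otherwise the groups are
     * looked up in the configured registry, but only when the registry realm equals the
     * realm of the access id; an unknown realm yields no credential, with only a debug trace.
     *
     * <p>Repair note: the decompiler reused one register for the registry service and the
     * caught exceptions (see the JADX type-inference warning on this method in the
     * original listing) and printed {@code service.getMessage()}. The messages below use
     * the caught exception instead and attach it as the cause.
     *
     * @throws CredentialException if the user is not found or the registry cannot be read.
     *         The message contains the access id and the registry's own message, so it
     *         should not be passed on to unauthenticated callers.
     */
    private void createUserWSCredential(Subject subject, String securityName, String accessId, String realm, String uniqueId, String unauthenticatedUserid) throws CredentialException {
        UserRegistryService service = this.userRegistryServiceRef.getService();
        try {
            Hashtable<String, ?> subjectAttributes = getUniqueIdAndSecurityNameHashtableFromSubject(subject);
            if (subjectAttributes != null && !subjectAttributes.isEmpty()) {
                List<String> groupsFromSubject = getUniqueGroupAccessIds(subjectAttributes, realm);
                setCredential(unauthenticatedUserid, subject, realm, securityName, uniqueId, null, accessId, null, groupsFromSubject);
            } else if (service.isUserRegistryConfigured()) {
                UserRegistry userRegistry = service.getUserRegistry();
                if (userRegistry.getRealm().equals(realm)) {
                    List<String> groupsFromRegistry = getUniqueGroupAccessIds(userRegistry, realm, uniqueId);
                    setCredential(unauthenticatedUserid, subject, realm, securityName, uniqueId, getPrimaryGroupId(groupsFromRegistry), accessId, null, groupsFromRegistry);
                } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Requested creation of a WSCredential for an unknown realm", userRegistry.getRealm(), realm);
                }
            } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected state in WSCredentialProvider, no UserRegistry");
            }
        } catch (EntryNotFoundException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.credentials.wscred.internal.WSCredentialProvider", "177", this, new Object[]{subject, securityName, accessId, realm, uniqueId, unauthenticatedUserid});
            throw credentialFailure("Unable to find the user for this accessId: " + accessId + ". " + e.getMessage(), e);
        } catch (RegistryException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.credentials.wscred.internal.WSCredentialProvider", "179", this, new Object[]{subject, securityName, accessId, realm, uniqueId, unauthenticatedUserid});
            throw credentialFailure("Unable to access the UserRegistry: " + e.getMessage(), e);
        }
    }

    /**
     * Creates a {@link CredentialException} that keeps the underlying failure as its cause
     * ({@code CredentialException} has no cause-taking constructor).
     */
    private static CredentialException credentialFailure(String message, Throwable cause) {
        CredentialException failure = new CredentialException(message);
        failure.initCause(cause);
        return failure;
    }

    /**
     * Creates the {@code WSCredentialImpl} and adds it to the subject's public credentials.
     *
     * <p>The {@code ignoredList} parameter is never read; the constructor's seventh
     * argument is always {@code null}.
     */
    private void setCredential(String unauthenticatedUserid, Subject subject, String realm, String securityName, String uniqueId, String primaryGroupId, String accessId, List<String> ignoredList, List<String> groupIds) throws CredentialException {
        WSCredentialImpl credential = new WSCredentialImpl(realm, securityName, uniqueId, unauthenticatedUserid, primaryGroupId, accessId, null, groupIds);
        subject.getPublicCredentials().add(credential);
    }

    /**
     * Looks up the user's groups in the registry and converts each one to a group access id.
     *
     * @throws EntryNotFoundException if the registry does not know the user
     * @throws RegistryException if the registry lookup fails
     */
    private List<String> getUniqueGroupAccessIds(UserRegistry userRegistry, String realm, String uniqueId) throws EntryNotFoundException, RegistryException {
        List<String> groupAccessIds = new ArrayList<>();
        for (String groupId : userRegistry.getUniqueGroupIdsForUser(uniqueId)) {
            groupAccessIds.add(AccessIdUtil.createAccessId("group", realm, groupId));
        }
        return groupAccessIds;
    }

    /** Returns the first group access id, or {@code null} when the list is empty. */
    private String getPrimaryGroupId(List<String> list) {
        return list.isEmpty() ? null : list.get(0);
    }

    /**
     * Reads the group list from the subject's attribute table and returns a copy in which
     * every entry is a group access id.
     *
     * <p>Entries that {@link AccessIdUtil#isGroupAccessId} does not recognise are prefixed
     * with {@code group:<realm>/}. The stored value may be any {@link List} (the original
     * cast required an {@code ArrayList}). A non-String element still fails with
     * {@link ClassCastException}, as it did before.
     */
    private List<String> getUniqueGroupAccessIds(Hashtable<String, ?> hashtable, String realm) {
        List<String> groupAccessIds = new ArrayList<>();
        Object storedGroups = hashtable.get(AttributeNameConstants.WSCREDENTIAL_GROUPS);
        if (storedGroups == null) {
            return groupAccessIds;
        }
        for (Object entry : (List<?>) storedGroups) {
            String group = (String) entry;
            groupAccessIds.add(AccessIdUtil.isGroupAccessId(group) ? group : "group:" + realm + "/" + group);
        }
        return groupAccessIds;
    }

    /**
     * Returns the first {@link WSCredential} among the subject's public credentials, or
     * {@code null} if there is none. Any further {@code WSCredential} entries are ignored.
     */
    private WSCredential getWSCredential(Subject subject) {
        Iterator<WSCredential> credentials = subject.getPublicCredentials(WSCredential.class).iterator();
        return credentials.hasNext() ? credentials.next() : null;
    }

    /**
     * Reports whether the subject's {@link WSCredential} is still usable.
     *
     * <p>Repair note: the decompiler could not restructure this method and emitted a stub
     * that always threw {@link UnsupportedOperationException}. The body below is
     * reconstructed from the instruction dump that accompanied the stub.
     *
     * <p>The result is {@code true} only when a credential is present and its expiration
     * is {@code 0}, {@code -1}, or later than the current system time. A missing
     * credential, or a destroyed or expired one, yields {@code false}, so every failure
     * path denies. The values {@code 0} and {@code -1} skip the time comparison entirely
     * (presumably "no expiry" sentinels; confirm against the {@code WSCredential}
     * contract), so code that creates credentials must not produce them by accident.
     *
     * @param subject the subject to check
     * @return {@code true} if the subject carries an unexpired credential
     */
    @Override // com.ibm.ws.security.credentials.CredentialProvider
    @FFDCIgnore({CredentialDestroyedException.class, CredentialExpiredException.class})
    public boolean isSubjectValid(Subject subject) {
        boolean valid = false;
        try {
            WSCredential credential = getWSCredential(subject);
            if (credential != null) {
                long expirationMillis = credential.getExpiration();
                Date now = new Date();
                Date expiration = new Date(expirationMillis);
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Current time = " + now + ", expiration time = " + expiration);
                }
                if (expirationMillis == 0 || expirationMillis == -1 || now.before(expiration)) {
                    valid = true;
                }
            }
        } catch (CredentialDestroyedException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "CredentialDestroyedException while determining the validity of the subject.", e);
            }
        } catch (CredentialExpiredException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "CredentialExpiredException while determining the validity of the subject.", e);
            }
        }
        return valid;
    }
}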
